GitLab API Client
Interact with GitLab API for managing projects, issues, merge requests, branches, pipelines, users, groups, and more. Use when the user needs to perform GitL...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 13 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (GitLab API client) match the included code (CLI that talks to a GitLab instance). However the registry metadata declares no required environment variables or primary credential, while the code and SKILL.md clearly require a GITLAB_TOKEN and GITLAB_URL in a .env file — an inconsistency that should be resolved.
Instruction Scope
SKILL.md instructs the agent may read/write ./ .env to manage GITLAB_URL but also insists NEVER to expose GITLAB_TOKEN. That is contradictory: reading .env will expose the token to the agent unless the agent explicitly avoids reading the token field. The instructions also force all API access through the bundled gitlab-client binary (no curl/wget), which the shipped code enforces. The allowed actions and file references are otherwise within the declared purpose.
Install Mechanism
No installer/downloads or remote installs in the skill bundle. The package is a Node CLI with a single dependency (dotenv) declared in package.json; SKILL.md asks users to run npm install locally. This is proportionate and low-risk compared to remote downloads.
Credentials
The skill requires a GitLab URL and a personal access token (GITLAB_TOKEN) to function, but the registry metadata lists no required env or primary credential. Also, the token is expected to be stored in a plaintext .env file under the skill directory — a sensitive secret stored on disk. The SKILL.md attempts to limit token exposure but simultaneously permits reading/writing the same .env file, creating a real risk of accidental exposure or exfiltration by the agent or other code.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges, and it does not appear to modify other skills or global agent configuration. It behaves like a normal user-invoked CLI skill.
What to consider before installing
This package is a genuine-looking GitLab CLI, but pay attention to the token handling before installing:
- The skill requires a GITLAB_TOKEN saved in a .env file (in the skill directory), yet the registry metadata claims no credentials — verify the source and why metadata is incomplete.
- Storing a personal access token in plaintext .env under the skill folder is a security risk. Prefer using your platform's secret manager or placing the token in a secure file location with restricted permissions.
- SKILL.md forbids exposing the token but also allows the agent to read/write .env to manage GITLAB_URL; that contradiction can lead to accidental token leakage. If you install, ensure the agent is not allowed to print or transmit .env contents and consider setting GITLAB_TOKEN manually at runtime or using an env var injected by the platform rather than a file the skill can edit.
- Review the bundled gitlab-client.js (present here) to confirm no network calls other than to your GitLab host, and run the tool in an isolated environment first (or with a least-privilege token, e.g., read_api rather than full api scope) to test behavior.
If you can, ask the publisher to update registry metadata to declare the required credential and to document secure token handling; that would increase confidence in the package.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
GitLab API Skill
Node.js client for the GitLab REST API (v4). Reads config from ./.env.
Security Rules
- NEVER read, cat, print, grep, or expose the
GITLAB_TOKENvalue. - NEVER use
curl,wget, or any tool to call GitLab API directly. All access MUST go throughgitlab-client. - AI may read/write
.envto manageGITLAB_URL, but GITLAB_TOKEN must be set by the user manually.
Setup
Requires ./.env with:
GITLAB_URL=https://gitlab.fullnine.com.cn
GITLAB_TOKEN=<your-personal-access-token>
If token is missing, prompt the user to edit ./.env and create a token at <GITLAB_URL>/-/profile/personal_access_tokens (scope: api).
Install (first time): source ~/.nvm/nvm.sh && npm install
Quick Start
gitlab-client users me # Current user
gitlab-client projects list --owned # My projects
gitlab-client issues list --project 42 --state opened # Project issues
gitlab-client mrs create --project 42 --source-branch feat --target-branch main --title "My MR"
Commands Reference
Format: gitlab-client <resource> <action> [id] [--key value ...]
All list actions support --page N --per-page N (default 20, max 100).
Projects
| Action | Usage | Options |
|---|---|---|
| list | projects list | --search --owned --membership --visibility |
| get | projects get <id> | |
| search | projects search "term" | |
| create | projects create --name "name" | --description --visibility --namespace-id --initialize-with-readme |
| edit | projects edit <id> | --name --description --visibility |
| delete | projects delete <id> | |
| fork | projects fork <id> | --namespace |
| members | projects members <id> | |
| hooks | projects hooks <id> |
Issues
| Action | Usage | Options |
|---|---|---|
| list | issues list --project <id> | --state --labels --milestone --assignee-id --search |
| get | issues get --project <id> --iid <iid> | |
| create | issues create --project <id> --title "T" | --description --labels --assignee-ids --milestone-id --due-date --confidential |
| edit | issues edit --project <id> --iid <iid> | --title --description --state-event --labels --assignee-ids |
| close | issues close --project <id> --iid <iid> | |
| reopen | issues reopen --project <id> --iid <iid> | |
| delete | issues delete --project <id> --iid <iid> | |
| notes | issues notes --project <id> --iid <iid> | |
| add-note | issues add-note --project <id> --iid <iid> --body "text" |
Merge Requests
| Action | Usage | Options |
|---|---|---|
| list | mrs list --project <id> | --state --labels --milestone --source-branch --target-branch --search |
| get | mrs get --project <id> --iid <iid> | |
| create | mrs create --project <id> --source-branch "src" --target-branch "tgt" --title "T" | --description --assignee-id --reviewer-ids --labels --milestone-id --remove-source-branch --squash |
| edit | mrs edit --project <id> --iid <iid> | --title --description --state-event --labels --assignee-id |
| merge | mrs merge --project <id> --iid <iid> | --merge-commit-message --squash --should-remove-source-branch |
| changes | mrs changes --project <id> --iid <iid> | |
| commits | mrs commits --project <id> --iid <iid> | |
| notes | mrs notes --project <id> --iid <iid> | |
| add-note | mrs add-note --project <id> --iid <iid> --body "text" | |
| approve | mrs approve --project <id> --iid <iid> | |
| pipelines | mrs pipelines --project <id> --iid <iid> |
Branches
| Action | Usage | Options |
|---|---|---|
| list | branches list --project <id> | --search |
| get | branches get --project <id> --branch "name" | |
| create | branches create --project <id> --branch "name" --ref "main" | |
| delete | branches delete --project <id> --branch "name" | |
| delete-merged | branches delete-merged --project <id> |
Commits
| Action | Usage | Options |
|---|---|---|
| list | commits list --project <id> | --ref-name --since --until --path |
| get | commits get --project <id> --sha "abc123" | |
| diff | commits diff --project <id> --sha "abc123" | |
| comments | commits comments --project <id> --sha "abc123" | |
| add-comment | commits add-comment --project <id> --sha "abc123" --note "text" |
Repository / Files
| Action | Usage | Options |
|---|---|---|
| tree | repo tree --project <id> | --path --ref --recursive |
| file | repo file --project <id> --file-path "path" | --ref |
| raw | repo raw --project <id> --file-path "path" | --ref |
| create-file | repo create-file --project <id> --file-path "p" --branch "b" --content "c" --commit-message "m" | |
| update-file | repo update-file --project <id> --file-path "p" --branch "b" --content "c" --commit-message "m" | |
| delete-file | repo delete-file --project <id> --file-path "p" --branch "b" --commit-message "m" | |
| compare | repo compare --project <id> --from "main" --to "feat" |
Pipelines
| Action | Usage | Options |
|---|---|---|
| list | pipelines list --project <id> | --status --ref |
| get | pipelines get --project <id> --pipeline-id <pid> | |
| jobs | pipelines jobs --project <id> --pipeline-id <pid> | |
| job-log | pipelines job-log --project <id> --job-id <jid> | |
| retry | pipelines retry --project <id> --pipeline-id <pid> | |
| cancel | pipelines cancel --project <id> --pipeline-id <pid> | |
| create | pipelines create --project <id> --ref "main" | --variables "K1=v1,K2=v2" |
Groups
| Action | Usage | Options |
|---|---|---|
| list | groups list | --search --owned |
| get | groups get <id> | |
| projects | groups projects <id> | --search |
| members | groups members <id> | |
| issues | groups issues <id> | --state |
| mrs | groups mrs <id> | --state |
Users
| Action | Usage |
|---|---|
| me | users me |
| list | users list [--search "john"] |
| get | users get <id> |
| projects | users projects <id> |
Labels
| Action | Usage | Options |
|---|---|---|
| list | labels list --project <id> | |
| create | labels create --project <id> --name "bug" --color "#FF0000" | --description |
| edit | labels edit --project <id> --name "bug" | --new-name --color |
| delete | labels delete --project <id> --name "bug" |
Milestones
| Action | Usage | Options |
|---|---|---|
| list | milestones list --project <id> | --state |
| get | milestones get --project <id> --milestone-id <mid> | |
| create | milestones create --project <id> --title "v1.0" | --description --due-date --start-date |
| edit | milestones edit --project <id> --milestone-id <mid> | --title --state-event |
| delete | milestones delete --project <id> --milestone-id <mid> |
Tags & Releases
| Action | Usage | Options |
|---|---|---|
| tags list | tags list --project <id> | --search |
| tags create | tags create --project <id> --tag-name "v1.0" --ref "main" | --message |
| tags delete | tags delete --project <id> --tag-name "v1.0" | |
| releases list | releases list --project <id> | |
| releases create | releases create --project <id> --tag-name "v1.0" --name "R1" | --description |
Snippets
| Action | Usage | Options |
|---|---|---|
| list | snippets list --project <id> | |
| get | snippets get --project <id> --snippet-id <sid> | |
| create | snippets create --project <id> --title "T" --file-name "f" --content "c" | --visibility |
Search
| Action | Usage |
|---|---|
| global | search global --scope <scope> --search "query" |
| project | search project --project <id> --scope <scope> --search "query" |
| group | search group --group <id> --scope <scope> --search "query" |
Scopes — global: projects|issues|merge_requests|milestones|snippet_titles|users. Project: issues|merge_requests|milestones|notes|wiki_blobs|commits|blobs. Group: projects|issues|merge_requests|milestones.
Runners
| Action | Usage | Options |
|---|---|---|
| list | runners list --project <id> | |
| all | runners all | --type --status |
Webhooks
| Action | Usage | Options |
|---|---|---|
| list | hooks list --project <id> | |
| create | hooks create --project <id> --url "url" | --push-events --merge-requests-events --issues-events --token |
| delete | hooks delete --project <id> --hook-id <hid> |
Usage Notes
- Auth: Uses
PRIVATE-TOKENheader. Scopes:api(full),read_api(read-only),read_user,read_repository. - Project ID: Use numeric ID or URL-encoded path (
my-group%2Fmy-project). - Output: JSON. Pipe to
jqfor filtering:gitlab-client projects list | jq '.[].name' - Dates: ISO 8601 format (
YYYY-MM-DDTHH:MM:SSZ). - Labels: Comma-separated:
--labels "bug,feature,urgent". - Errors:
401unauthorized,403forbidden,404not found,422validation,429rate limited.
Files
4 totalSelect a file
Select a file to preview.
Comments
Loading comments…